Tokenization creates a pseudonym (e.g., a token) for an original data element. The token can be used in lieu of the original data element for communication or storage. Many tokenization systems offer a detokenization component, which often includes a token vault. The token vault is a database of tokens and original data elements. Currently, a Token Service Provider (TSP) is not the sole controller of the token vault. For example, in order to generate a payment token (e.g., a tokenized Primary Account number (PAN) for a bank card), the PAN is sent to a corresponding payment network (e.g., Visa, MasterCard, and the like). A token is returned and stored on the cardholder's device (e.g., a mobile device) and used for future transactions. Upon an payment authorization request being received by an issuer (e.g., a financial institution), the token is used to find the PAN, and the PAN is used to find the cardholder's profile to determine whether the transaction should be authorized. Each financial institution manages a token vault even though the token is issued by the payment networks. For example, storing tokens within a token vault with the original data elements makes the token vault a high-risk target.